Doctrine + Apigility: always 403 Forbidden

I have an Apigility backend running, integrated with Doctrine.
When I do a POST http://localhost:8080/oauth with the following body:

{
  "grant_type": "password",
  "username": "jeff",
  "password": "test234",
  "client_id": "testclient"
}

I get a response like this:

{
  "access_token": "b10bee7e1b70d2cbb0e95f77caeac3b61707032c",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "DbAPI",
  "refresh_token": "bb440c03bd8df030615d6deaa35ed9b6ace84675"
}

Which is correct.
Next, I do a GET http://localhost:8080/oauth/resource, with the following headers:

accept: application/json
origin: http://localhost:4200 (my frontend, as allowed by zfr-cors)
authorization: Bearer b10bee7e1b70d2cbb0e95f77caeac3b61707032c

I get a response like this:

{
  "success": true,
  "message": "You accessed my APIs!"
}

Which is also correct!

BUT, when I do a request to GET http://localhost:8080/user (with the same headers as the request to /oauth/resource), I get a response like this:

{
  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
  "title": "Forbidden",
  "status": 403,
  "detail": "Forbidden"
}

Which is NOT correct. When I disable authentication in the Apigility web UI, I get the correct response, which is an array of Users.

So, only /oauth/resource returns the correct info; the rest (when auth is activated) always return a 403, even when using the correct access_token.

Is there any Apigility/Doctrine guru who can help me out?

As always, if you need more code snippets / info / screenshots, please let me know!
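Added note with an example configuration; this is not code from the post or from the Apigility project. The symptom described above (the token endpoint and /oauth/resource work, every other service answers 403 even with a valid Bearer token) is what zf-mvc-auth produces when a request reaches its authorization listener as a guest: /oauth/resource is validated by zf-oauth2's own controller, while REST services only get the Bearer header checked if their API namespace is mapped to an authentication adapter under `zf-mvc-auth.authentication.map`. The fragment below shows the shape of that configuration to compare against the project's own `config/autoload/local.php`. The names `DbAPI\V1`, `oauth2_adapter`, `DbAPI\V1\Rest\User\Controller` and the PDO DSN are assumptions for illustration; a Doctrine-backed OAuth2 storage uses its own storage keys.

```php
<?php
// Added example, not the post's or Apigility's own config. Assumed names:
// API namespace 'DbAPI\V1', adapter key 'oauth2_adapter', the controller
// 'DbAPI\V1\Rest\User\Controller' serving GET /user, and a PDO token store.
return [
    'zf-mvc-auth' => [
        'authentication' => [
            'adapters' => [
                'oauth2_adapter' => [
                    'adapter' => \ZF\MvcAuth\Authentication\OAuth2Adapter::class,
                    'storage' => [
                        'adapter'  => 'pdo',   // assumption; Doctrine storage is configured differently
                        'dsn'      => 'mysql:host=localhost;dbname=oauth2_db',
                        'username' => 'oauth2',
                        'password' => 'secret',
                        'route'    => '/oauth', // the endpoint that issued the token
                    ],
                ],
            ],
            // Without a map entry for the API version, the Bearer header is
            // never validated for its services: the identity stays "guest",
            // and every method marked as requiring authentication is refused
            // with 403 Forbidden (zf-mvc-auth answers 403, not 401, for guests).
            'map' => [
                'DbAPI\V1' => 'oauth2_adapter',
            ],
        ],
        'authorization' => [
            // false (the default) allows anything not listed; true flips that.
            'deny_by_default' => false,
            // true = authentication required for that HTTP method on that
            // resource; false = open. This is what the web UI writes when
            // authentication is enabled for a service.
            'DbAPI\V1\Rest\User\Controller' => [
                'collection' => ['GET' => true, 'POST' => true, 'PUT' => false, 'PATCH' => false, 'DELETE' => false],
                'entity'     => ['GET' => true, 'POST' => false, 'PUT' => true, 'PATCH' => true, 'DELETE' => true],
            ],
        ],
    ],
];
```

The check a practitioner would make first is whether the `map` key matches the namespace of the controller behind /user exactly (including the `V1` version segment): if the API was created under a different name than the OAuth scope `DbAPI`, the mapping has to use that name.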